A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.
The Zoom API is how an app or AI agent works with a Zoom account: scheduling a meeting, listing and updating meetings, ending a running one, reading cloud recordings and transcripts, and pulling reports on who attended. Access is granted through an OAuth access token, and a set of scopes decides which areas a call can read or write and how far across the account it reaches. Zoom can also push events, like a meeting starting or a recording finishing, to a registered endpoint.
How an app or AI agent connects to Zoom determines what it can reach. There is a route for an internal app that authenticates with its own credentials, a route for an app that acts on behalf of a Zoom user, a hosted server that exposes Zoom tools to agents, and an event stream, each governed by the access token behind it and the scopes that token carries.
An internal app authenticates with its own credentials and the account_credentials grant, with no user login, redirect, or refresh token. An account administrator authorizes the scopes the app may use. The access token lasts one hour and is fetched again when it expires.
A user-managed app sends a Zoom user through the standard OAuth 2.0 authorization-code flow to consent to a set of scopes. The app exchanges the code for an access token, valid for one hour, plus a refresh token to renew it. The token acts on behalf of that user.
Zoom's hosted Model Context Protocol server at https://mcp.zoom.us/mcp/zoom/streamable exposes Zoom meetings, recordings, transcripts, summaries, and assets to AI agents, with focused servers for Docs and Whiteboard alongside it. It authenticates with an OAuth access token sent as a Bearer token, scoped the same way as the REST API.
Zoom POSTs an event to an HTTPS endpoint registered on an app for the chosen events. The receiver validates each delivery against the app's secret token to confirm it came from Zoom. An app can hold up to 20 event subscriptions, and each event still requires the matching read scope.
An internal app fetches an access token with its account ID, client ID, and client secret using the account_credentials grant. There is no user login, redirect, or refresh token, and an administrator authorizes the available scopes. The token lasts one hour.
A published or user-managed app uses the authorization-code flow, where a Zoom user consents to scopes in a browser. The app receives an access token valid for one hour and a refresh token to renew it, and the token acts as that user.
The Zoom API is split into areas an agent can act on, like meetings, webinars, users, cloud recordings, and reports. Each area has its own methods and its own scopes, and some return personal data such as participant email addresses.
Meetings: List, create, read, update, and delete a user's meetings, and end a running meeting.
Meeting registrants: List a meeting's registrants, add a registrant, and approve, deny, or cancel registrations.
Webinars: List, create, read, update, and delete webinars, and manage their registrants.
Users: List the users on an account, read a single user's profile, and create a user.
Cloud recordings: List a user's cloud recordings, read a meeting's recordings, and delete a meeting's recordings.
Reports: Read a user's past meetings, a meeting's detail report, and the list of participants in a past meeting.
Every method listed is in the current API version and has been available since the API's base version.

Meetings (6 methods): List, create, read, update, and delete a user's meetings, and end a running meeting.

| Method | Endpoint | What it does | Access | Permission | Acts on | Webhook event | Rate limit | Notes |
|---|---|---|---|---|---|---|---|---|
| GET | /users/{userId}/meetings | List the meetings scheduled by a user. | read | meeting:read:list_meetings | meeting | None | Medium | Classic scope: meeting:read. The :admin variant (meeting:read:list_meetings:admin) lists meetings for any user on the account. |
| POST | /users/{userId}/meetings | Schedule a new meeting for a user. | write | meeting:write:meeting | meeting | meeting.created | Medium | Classic scope: meeting:write. Counted against the limit of 100 meeting create or update requests per user per day. |
| GET | /meetings/{meetingId} | Get a meeting's details, including its join URL and settings. | read | meeting:read:meeting | meeting | None | Light | Classic scope: meeting:read. |
| PATCH | /meetings/{meetingId} | Update a meeting's topic, time, or settings. | write | meeting:update:meeting | meeting | meeting.updated | Medium | Classic scope: meeting:write. Counted against the limit of 100 meeting create or update requests per user per day. |
| DELETE | /meetings/{meetingId} | Delete a scheduled meeting. | write | meeting:delete:meeting | meeting | meeting.deleted | Light | Classic scope: meeting:write. Only one delete can run at a time per user. A meeting in progress cannot be deleted. |
| PUT | /meetings/{meetingId}/status | End a running meeting by sending the end action. | write | meeting:update:status | meeting | meeting.ended | Light | Classic scope: meeting:write. The only supported action is end; the call returns 204 No Content on success. |

Meeting registrants (3 methods): List a meeting's registrants, add a registrant, and approve, deny, or cancel registrations.

| Method | Endpoint | What it does | Access | Permission | Acts on | Webhook event | Rate limit | Notes |
|---|---|---|---|---|---|---|---|---|
| GET | /meetings/{meetingId}/registrants | List the registrants of a meeting. | read | meeting:read:list_registrants | registrant | None | Light | Classic scope: meeting:read. Registrant records include names and email addresses. |
| POST | /meetings/{meetingId}/registrants | Add a registrant to a meeting that has registration enabled. | write | meeting:write:registrant | registrant | meeting.registration_created | Light | Classic scope: meeting:write. Adds a real person to the meeting and can trigger a confirmation email. |
| PUT | /meetings/{meetingId}/registrants/status | Approve, deny, or cancel meeting registrations in a batch. | write | meeting:write | registrant | None | Light | Granular scope: meeting:update:registrant_status. Classic scope: meeting:write. The action is approve, deny, or cancel. |

Webinars (7 methods): List, create, read, update, and delete webinars, and manage their registrants.

| Method | Endpoint | What it does | Access | Permission | Acts on | Webhook event | Rate limit | Notes |
|---|---|---|---|---|---|---|---|---|
| GET | /users/{userId}/webinars | List the webinars scheduled by a user. | read | webinar:read:list_webinars | webinar | None | Medium | Classic scope: webinar:read. Webinars require a paid Zoom Webinars plan on the host's account. |
| POST | /users/{userId}/webinars | Schedule a new webinar for a user. | write | webinar:write:webinar | webinar | None | Medium | Classic scope: webinar:write. Requires a Zoom Webinars plan on the host's account. |
| GET | /webinars/{webinarId} | Get a webinar's details and settings. | read | webinar:read:webinar | webinar | None | Light | Classic scope: webinar:read. |
| PATCH | /webinars/{webinarId} | Update a webinar's topic, time, or settings. | write | webinar:update:webinar | webinar | None | Light | Classic scope: webinar:write. |
| DELETE | /webinars/{webinarId} | Delete a scheduled webinar. | write | webinar:delete:webinar | webinar | None | Light | Classic scope: webinar:write. |
| GET | /webinars/{webinarId}/registrants | List the registrants of a webinar. | read | webinar:read:list_registrants | registrant | None | Light | Classic scope: webinar:read. Registrant records include names and email addresses. |
| POST | /webinars/{webinarId}/registrants | Add a registrant to a webinar. | write | webinar:write:registrant | registrant | None | Light | Classic scope: webinar:write. Adds a real person and can trigger a confirmation email. |

Users (3 methods): List the users on an account, read a single user's profile, and create a user.

| Method | Endpoint | What it does | Access | Permission | Acts on | Webhook event | Rate limit | Notes |
|---|---|---|---|---|---|---|---|---|
| GET | /users | List the users on an account. | read | user:read:list_users | user | None | Medium | Classic scope: user:read:admin. Returns names and email addresses for users on the account. |
| GET | /users/{userId} | Get a single user's profile. | read | user:read:user | user | None | Light | Classic scope: user:read. Returns the user's ID and email address. |
| POST | /users | Create a user on the account. | write | user:write:user | user | None | Medium | Classic scope: user:write:admin. Creates a real account and can send an activation email. |

Cloud recordings (3 methods): List a user's cloud recordings, read a meeting's recordings, and delete a meeting's recordings.

| Method | Endpoint | What it does | Access | Permission | Acts on | Webhook event | Rate limit | Notes |
|---|---|---|---|---|---|---|---|---|
| GET | /users/{userId}/recordings | List a user's cloud recordings. | read | recording:read | recording | None | Medium | Granular scope: cloud_recording:read:list_user_recordings. Classic scope: recording:read. Cloud recording requires a paid plan with cloud recording enabled. |
| GET | /meetings/{meetingId}/recordings | Get all cloud recordings for a meeting, including video, audio, and transcript files. | read | cloud_recording:read:recording | recording | recording.completed | Heavy | Classic scope: recording:read. The response holds download URLs for the recording files. |
| DELETE | /meetings/{meetingId}/recordings | Delete all cloud recordings for a meeting. | write | recording:write | recording | None | Heavy | Granular scope: cloud_recording:delete:meeting_recording. Classic scope: recording:write. The action can move files to trash or delete permanently. |

Reports (3 methods): Read a user's past meetings, a meeting's detail report, and the list of participants in a past meeting.

| Method | Endpoint | What it does | Access | Permission | Acts on | Webhook event | Rate limit | Notes |
|---|---|---|---|---|---|---|---|---|
| GET | /report/users/{userId}/meetings | List the past meetings hosted by a user within a date range. | read | report:read:list_meetings | report | None | Heavy | Classic scope: report:read:admin. Reports require a Pro or higher plan. |
| GET | /report/meetings/{meetingId} | Get the detail report for a single past meeting. | read | report:read:meeting | report | None | Heavy | Classic scope: report:read:admin. Reports require a Pro or higher plan. |
| GET | /report/meetings/{meetingId}/participants | List the participants of a past meeting. | read | report:read | report | None | Heavy | Granular scope: report:read:list_meeting_participants. Classic scope: report:read:admin. Returns participant display names and, for users on the account, email addresses. |
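A default-deny check that a gateway in front of an agent could run before forwarding a call, as an added example (not Zoom's or Bollard AI's code). It uses a subset of the method table above with paths relative to https://api.zoom.us/v2; the ID character set and all function names are assumptions of the example.

```python
import re

# Subset of the page's method table: (HTTP method, path template, granular scope).
# For DELETE recordings the granular scope name from the row's notes is used.
ROUTES = [
    ("GET", "/users/{userId}/meetings", "meeting:read:list_meetings"),
    ("POST", "/users/{userId}/meetings", "meeting:write:meeting"),
    ("GET", "/meetings/{meetingId}", "meeting:read:meeting"),
    ("PUT", "/meetings/{meetingId}/status", "meeting:update:status"),
    ("GET", "/meetings/{meetingId}/registrants", "meeting:read:list_registrants"),
    ("GET", "/meetings/{meetingId}/recordings", "cloud_recording:read:recording"),
    ("DELETE", "/meetings/{meetingId}/recordings",
     "cloud_recording:delete:meeting_recording"),
]

# Assumption: a conservative character set for ID segments. It never matches
# "/", so an ID cannot smuggle extra path segments into a template.
ID_SEGMENT = r"[A-Za-z0-9_.@-]+"


def compile_template(template):
    """Turn '/meetings/{meetingId}/status' into an anchored regular expression."""
    literal_parts = re.split(r"\{[^}]+\}", template)
    return re.compile(ID_SEGMENT.join(re.escape(p) for p in literal_parts))


COMPILED = [(m, compile_template(t), s) for m, t, s in ROUTES]


def required_scope(method, path):
    """Scope needed for the call, or None when the route is not allow-listed."""
    path = path.split("?", 1)[0]
    # Dot segments would be normalised away upstream and reach a different route.
    if any(seg in (".", "..") for seg in path.split("/")):
        return None
    for route_method, pattern, scope in COMPILED:
        if route_method == method.upper() and pattern.fullmatch(path):
            return scope
    return None


def authorize(method, path, granted):
    """Return (allowed, detail). Unknown routes are denied, not passed through."""
    scope = required_scope(method, path)
    if scope is None:
        return False, "route not on allow-list"
    if scope not in granted:
        return False, f"missing scope {scope}"
    return True, scope


def unused_scopes(granted, planned_calls):
    """Scopes the token carries that none of the agent's planned calls need."""
    needed = {required_scope(m, p) for m, p in planned_calls}
    return sorted(set(granted) - needed)
```

Running `unused_scopes` against an agent's planned calls shows which granted scopes can be dropped from the app before the token is issued.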
Zoom can notify an app or AI agent when something happens in an account, like a meeting starting, a participant joining, or a cloud recording finishing. Zoom posts the event to a webhook URL that has been registered for the chosen events, so an integration learns about activity without polling.
| Event | What it signals | Triggered by |
|---|---|---|
| meeting.created | Fires when a meeting is scheduled. | /users/{userId}/meetings |
| meeting.updated | Fires when a meeting's topic, time, or settings change. | /meetings/{meetingId} |
| meeting.deleted | Fires when a scheduled meeting is deleted. | /meetings/{meetingId} |
| meeting.started | Fires when a meeting starts. | In-app only |
| meeting.ended | Fires when a meeting ends, whether it timed out or was ended through the API. | /meetings/{meetingId}/status |
| meeting.participant_joined | Fires when a participant joins a meeting. The matching read scope on the participant is required to subscribe. | In-app only |
| meeting.participant_left | Fires when a participant leaves a meeting. | In-app only |
| meeting.registration_created | Fires when someone registers for a meeting that has registration enabled. | /meetings/{meetingId}/registrants |
| recording.completed | Fires when a cloud recording finishes processing and is ready to download. The matching cloud recording read scope is required to subscribe. | In-app only |
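A receiver-side check for the validation step mentioned in both webhook passages above, as an added example that is not code from this page or from Zoom. The `x-zm-signature` and `x-zm-request-timestamp` headers, the `v0:` signing string, and the `endpoint.url_validation` challenge follow Zoom's webhook documentation rather than this page; the 300-second freshness window, the sample values, and the function names are assumptions of the example.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumption: freshness window chosen for this example

# Constructed sample values, not real credentials or a captured delivery.
SAMPLE_SECRET = "constructed-secret-token"
SAMPLE_BODY = b'{"event":"meeting.started","payload":{"object":{"id":"123"}}}'


def hmac_hex(secret, message):
    """HMAC-SHA256 of message keyed with the app's secret token, hex encoded."""
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_delivery(secret, headers, raw_body, now=None):
    """True only if the signature matches the raw body and the timestamp is fresh."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    timestamp = hdrs.get("x-zm-request-timestamp", "")
    signature = hdrs.get("x-zm-signature", "")
    if not (timestamp.isascii() and timestamp.isdigit()) or not signature:
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a replay
    try:
        body_text = raw_body.decode("utf-8")
    except UnicodeDecodeError:
        return False
    # Sign the bytes as received; re-serialising parsed JSON can change them.
    expected = "v0=" + hmac_hex(secret, f"v0:{timestamp}:{body_text}")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


def handle_delivery(secret, headers, raw_body, now=None):
    """Return (HTTP status, JSON response or None) for one webhook POST."""
    if not verify_delivery(secret, headers, raw_body, now):
        return 401, None  # reject before acting on anything in the body
    try:
        event = json.loads(raw_body)
        if event.get("event") == "endpoint.url_validation":
            # Endpoint ownership challenge: echo the token with its HMAC.
            plain = event["payload"]["plainToken"]
            return 200, {"plainToken": plain,
                         "encryptedToken": hmac_hex(secret, plain)}
    except (ValueError, KeyError, AttributeError, TypeError):
        return 400, None
    return 200, None  # verified: hand the event to the application here
```

The web framework must pass the unparsed request body to `verify_delivery`, so any JSON body parser has to keep the raw bytes available.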
Zoom limits how fast and how much an app or AI agent can call, by sorting each method into a request type and metering it per second, with a separate daily cap on the heaviest calls, both scaled to the account's plan.
Zoom sorts each method into one of four request types that decide its limit: Light, Medium, Heavy, and Resource-intensive. Getting a meeting and adding a registrant are Light, listing or creating a meeting is Medium, getting or deleting recordings and reading reports are Heavy, and listing all account recordings or daily usage reports are Resource-intensive. The per-second ceiling for each type scales with the account plan: a Free or Basic account gets 4 Light, 2 Medium, and 1 Heavy request per second; a Pro account gets 30, 20, and 10; and a Business, Education, Enterprise, or Partner account gets 80, 60, and 40. Free and Basic accounts also carry daily caps of 6,000 Light, 2,000 Medium, and 1,000 Heavy requests, while Pro accounts share a 30,000-per-day cap and Business and higher a 60,000-per-day cap across Heavy and Resource-intensive calls. Separately, each user is limited to 100 meeting or webinar create and update requests per day, resetting at 00:00 UTC. Going over returns HTTP 429, and the X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Type, and X-RateLimit-Reset headers report the current state.
List endpoints page through results with a page size set by page_size, which tops out at 300 and defaults to 30. A response returns a next_page_token, and passing it on the next request fetches the following page; the token expires after about 15 minutes. Some older endpoints instead use a 1-based page_number, which is being phased out in favor of the token.
List endpoints return at most 300 records per page through page_size. A next_page_token is valid for roughly 15 minutes. Report endpoints accept a date range of up to one month per request.
The status codes an agent should handle, and what to do about each.
| Status or body code | Name | Meaning | What to do |
|---|---|---|---|
| 124 | Invalid access token | The access token is missing, malformed, or expired. Zoom returns this with HTTP 401 and the body code 124. An access token lasts one hour. | Fetch a fresh access token, for a Server-to-Server OAuth app with the account_credentials grant, or for a user app by refreshing the token, then retry. |
| 401 | Unauthorized | Authentication failed. The token is invalid or expired, often reported with the body code 124. | Confirm the Authorization header carries a valid Bearer token for the right app, and refresh it if it has expired. |
| 400 | Bad Request | The request is invalid or a required scope is missing. Zoom often reports a missing scope with the body code 4711, naming the scope the request needs. | Read the message, add the named scope to the app and re-authorize, or correct the request body, then resend. |
| 300 | Validation / invalid parameter | A request parameter is invalid, for example a malformed meeting setting. Zoom returns this with the body code 300. | Correct the named parameter and resend; the request is not retryable as-is. |
| 404 | Not Found | The meeting, user, or other resource does not exist or is not visible to this token. A user not on the account returns the body code 1001. | Confirm the ID is correct and the token's account or user can see the resource. |
| 429 | Too Many Requests | A rate limit was exceeded. The message names whether a per-second or daily limit was hit, and the X-RateLimit headers report the limit, the type, and when it resets. | For a per-second limit, back off until the X-RateLimit-Reset time; for a daily limit, wait for the Retry-After time, which is the next UTC midnight. |
Zoom serves a single current version of its REST API, version 2, and ships dated changes through a developer changelog rather than minting new version numbers.
Version 2 is the current Zoom REST API, served from https://api.zoom.us/v2 with OAuth access tokens. Rather than minting dated versions, Zoom ships new methods, scope changes, and deprecations through its developer changelog, so an integration tracks the changelog. The largest recent change is the move from classic scopes to granular scopes, named resource:action:object, with a migration path for existing apps.
Zoom expanded its Model Context Protocol server so AI agents can reach meeting summaries, transcripts, recordings, notes, action items, and collaboration history across supported AI platforms, with agentic search across Zoom Meetings, Chat, and Phone. The capabilities were announced as available on 18 May 2026.
Zoom introduced granular and optional scopes, a finer permission model named resource:action:object, alongside the existing classic scopes, and published a migration guide. Granular scopes let an app request one operation on one object rather than a broad classic scope covering many operations.
An integration tracks the changelog for new methods, scope changes, and deprecations.
Bollard AI sits between a team's AI agents and Zoom. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.